We do something similar when preparing apps for backups, we block NEW incoming connections from our load balancers with a TCP Reset: iptables -A INPUT -p tcp --dport $appport --source $loadbalancerhost -m state --state NEW -j REJECT --reject-with-tcp-reset That seems to clue the load balancers in pretty fast that this node is no longer available, and allows for ESTABLISHED connections to continue - and we can safely perform local operations like when we wait for the app to finish starting and then unblock those connections. (Not directly related to OpenLDAP, but interesting for sysadmins who manage it.) -----Original Message----- From: openldap-technical [mailto:openldap-technical-bounces@openldap.org] On Behalf Of Michael Ströder Sent: Monday, February 15, 2016 7:32 AM To: Hallvard Breien Furuseth <h.b.furuseth(a)usit.uio.no&gt;; openldap-technical(a)openldap.org Subject: Re: Shutting down some slapd listeners Hallvard Breien Furuseth wrote: Yupp. I'd implement that with temporary local firewall rules suppressing TCP SYN packets. On Linux: iptables --syn. Local firewall rules are a good idea anyway. Ciao, Michael. “This message is intended only for the use of the addressee(s) and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not the intended recipient(s), you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, please erase all copies of the message and its attachments and notify the sender immediately.”